Because “reset your password” is not enough!


Some weeks ago I wrote a post about the rules that must be followed when your PC has been hacked, talking about system restore, backups and password change.

So today I want to share an interesting article by Ryan McGeehan focused on account takeover:

Victims of account takeover have a lot of work to do. Sometimes, “reset your password” is not enough.

The post is very complete and covers all aspects of account recovery and mitigation of any personal data leak. Here is the content summary:

  • Start reviewing the account from a secure machine
  • Remove SMS Dependencies
  • Reset the password
  • Enable Multifactor / Two Step / Two Factor / Login Approvals
  • Inspect Sessions / Destroy Sessions
  • Remove applications that are unnecessary, suspicious, or unfamiliar
  • Secure any linked accounts or remove maliciously added accounts
  • Review recovery addresses for attack, or secure any existing accounts
  • Remove unknown phone numbers or vulnerable phone numbers
  • Review forwarding and filters that are pushing data externally
  • Remove any “Application Specific Passwords” that will bypass auth
  • Review devices that might be authenticated to the account
  • Facebook: Make sure “Trusted Contacts” was set up intentionally
  • Facebook: Make sure “Legacy Contact” was set up intentionally
  • Facebook: Profile Picture Login

Also really interesting is the conclusion of the article, where Ryan gives us some suggestions for investigating a possible “relapse”:

Upon a regression, reconsider the vector.

If a victim is compromised repeatedly after combing through their accounts and removing malicious access, there may be an underlying platform issue to consider.

Extensions
Review extensions in the browser for anything unfamiliar or unused. Keep in mind that seemingly innocuous extensions, intentionally installed by the victim, even if they are tech-savvy, can be bought and sold by miscreants and used for evil.

Host
If the browser is clean, sessions or passwords may be taken from the host itself from a malware issue. Malware cleanup is out of scope for this runbook.

Keylogging
If dealing with a hilarious prank, or a physical threat, consider if a keylogger is installed physically on the device.

Network
If there are corporate MITM or other CA’s installed on the victim to perform a MITM attack, consider how they would be exposed.

Unreliable Victim
Is the victim logging into the malware-ridden computer in the other room they haven’t told you about? Start over.


References

https://medium.com/@magoo/the-account-takeover-runbook-ab8ae163f616